A recent visit to an annual regional security conference left me both somewhat dazed (lots of flashing fire, smoke, red lights and sirens, though no fire engines) and confused. Because, in amongst the plethora of alerting and analysis technologies, with big data at the vanguard, the message on holistic incident response was limited, mixed and technology-dependent: a paint spatter rather than a picture.
I believe this just doesn’t cut it anymore, if it ever did, and that there needs to be an organisation-driven approach within the enterprise. This should be predicated on the assumption (a very reasonable one, I would argue, from the available evidence) that the bad guys are already in your environment, raising the thorny question: how does any enterprise deal with that in a timely and controlled manner, while keeping the business a priority?
No smoke without fire
I have been thinking about an upcoming Global Risk Analysis initiative, challenging myself, and indeed the very methods I have previously used to conduct such an exercise, to seek out and identify anything I have been missing. There it is in front of me, hidden in plain view, front and centre: masses and masses of data from vulnerability scans, and telemetry from copious security controls and infrastructure, that I have been overlooking.
So I have to ask myself the question: as an enterprise, why don’t I use this information to identify and corroborate my areas of risk? After all, if they show up as ‘hot spots’ on a heat map, shouldn’t I be taking notice? I anticipate this angle will possibly be baulked at by the more traditional devotees of Risk Assessment, who would follow a questionnaire-style approach.
Eureka moment
In fact, now that I think of it, Information Security Risk is really a set of complex, interleaved angles that we, our technology, our infrastructure, attackers, defenders and the business all impose on our operational existence. Interleaving the information previously mentioned with the results of a global Business Impact Analysis, I can see the hotspots of ‘risk’, but what am I going to do about them? I have to admit that at this point I think of emergency responders, who are better trained and more experienced than the average member of the public, and who provide an excellent service that we trust and use constantly.
Incident Response Culture
Industry analysts have consistently pointed to the shortage of reliable, experienced security professionals, and indeed to the necessity of retaining these valued assets. As we raise the security awareness of our employees, we can attune them to the mindset of incident response, growing this approach into an Incident Response culture within the enterprise.
If you, as an enterprise, are lucky enough to have an incident response team that is well drilled and experienced in containing and treating risks that have evolved into incidents, then you are in a good place, with ample budget. However, are you, the CISO, of a mindset where you are willing and prepared to “assume the bad guys are already in”? Not the ‘if’ or ‘when’ of your organisation coming under attack, but the here and now of it. If so, then you can accept the reality that ‘it is what it is’. And then, and only then, can you move forward to having an emergency-responder-type service culture within your enterprise.
One team, one fight
It’s time to rethink the balance of cost between reliable, agile in-house incident response teams and the availability of specialist external services. We can’t boil the ocean, so let’s not try. Why not review the approach and investigate risk transference, or an insurance policy that works in practice as well as on paper? It is all about the business, after all.